How to Lock Invalid Usernames from BruteForce Attacks in WordPress
It is common that brute force attacks take place on WordPress login pages to guess username and passwords. Several plugins and htaccess codes are in place to thwart such illegal intrusion. One such way to lock invalid usernames and prevent unauthorized users from guessing confidential usernames is using the Wordfence plugin.
Most of the time naive WordPress admin users use easy guessing usernames like “admin”, “www”, sitename etc. In addition, due to password leaks, some of the common usernames are leaked. In my practice I found that Wordfence blocks several such attempts and also gives the common usernames used for hacking.
It is one of the best security methods that can fix invalid username problems. In this guide we are going to see a free way to block brute force attacks and the right settings.
How to Lock Invalid Usernames Attack in 2022?
- Install the free version of Wordfence login.
- Wordfence > Firewall
- Click on All Firewall Options on the right hand side.
- Next screen opens.
- Under Brute Force Protection, check the option for “Enable brute force protection” is turned on.
- Immediately lock out invalid usernames is checked.
- Immediately block the IP of users who try to sign in as these usernames text box is visible.
- Enter the common usernames like admin, www etc, which are used by hackers.
- Press Enter after each username.
- In due time, if you see further attempts with any other invalid usernames, you can add them also.
- Lock out after how many login failures – 4 to 6
- Lock out after how many forgot password attempts – 4 to 6
- Count failures over what time period – 12 hours to max
- Amount of time a user is locked out – 2 months
In this way you can prevent suspicious IPs from trying to log into your WordPress panel. It has the benefit of two things. One it prevents attacks and other saves precious CPU resources getting wasted due to these hacks.
Your wordpress admin panel will become a lot quicker with less number of attacks.